Remove connected user identities for SAML SSO

Problem

After being able to list relevant user identities in #35308 (closed), we should give a group Owner the ability to remove them in order to troubleshoot SSO connection problems.

Proposal

Introduce a "Remove" button next to user identities associated with the relevant SSO provider.

  • Show a confirmation dialog on clicking "Remove".

For the first iteration, do not present this removal option for Owners.

Mock

Add an icon to remove on the far right column of the identities table. Use the same iconography we use in the Members table:

Present a confirmation prompt after clicking to remove.

Open questions

  • Do we expect removal to remove both the identity link and user membership? Should an owner be able to remove their own identity, would that keep membership for the last owner of a group, and how would that work if enforcement is enabled?
  • How do we anticipate this working with Group Managed Accounts? Does the account get closed? How do we communicate that in the UI?
  • If this is on a new page/tab/expandable-section, how should we present that or link to it? Need input from UX and frontend.
  • Will group owners know that removing an identity is the path to allowing a user to sign in again?
  • If SCIM has created duplicate accounts due to email mismatch, will this leave behind orphan accounts that can't be signed into? These could prevent new accounts being created if the primary email then remains taken. Would we need to relax our support policies to allow these accounts to be removed more easily without proving ownership per user?
  • Does this duplicate functionality from the Members page? Would editing make more sense here if membership can already be removed there? Should the editing functionality be provided from that page?
  • Do we need to guard against accidental removals if this removes membership as well as the identity? The instance-wide version has less impact because it only removed the identity.

Availability & Testing

This feature appears to be low risk in terms of GitLab.com availability. Appropriate tests at unit and feature level should be added. No end-to-end tests needed.
